September 2018 Code Aurora Security Bulletin

September 4, 2018 | Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and the QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating; a description of these ratings, using version 1.2 of the ratings scheme, can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-13077, CVE-2017-13078, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 Mathy Vanhoef, Frank Piessens
CVE-2017-15818, CVE-2017-15825, CVE-2017-15828, CVE-2018-3573 derrek (https://twitter.com/derrekr6)
CVE-2017-15844, CVE-2018-11275, CVE-2018-3586 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2018-11265 Baozeng Ding (sploving)
CVE-2018-11270, CVE-2018-11273, CVE-2018-11276, CVE-2018-11286, CVE-2018-11295, CVE-2018-11301, CVE-2018-11832, CVE-2018-3570 Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2018-11293, CVE-2018-11297, CVE-2018-11302 Gengjia Chen ( @chengjia4574 ), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2018-11298, CVE-2018-11300, CVE-2018-11904, CVE-2018-3574 Hao Chen(@flankersky) and Guang Gong(@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.
CVE-2018-11818 Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), and Lenx Wei (韦韬) of Baidu X-Lab (百度安全实验室).
CVE-2018-11886 Gengjia Chen ( @chengjia4574 ) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2018-11893 C0RE Team
CVE-2018-11902 Dokyung Song, Dipanjan Das, Felicitas Hetzelt
CVE-2018-3597 Peter Pi of Tencent Security Platform Department
CVE-2018-5905 dingpengfei

Table of vulnerabilities

Public ID       Security Rating  Technology Area                    Date Reported
CVE-2017-13077  Critical         WLAN HOST                          8/25/2017
CVE-2017-13078  Critical         WLAN HOST                          8/25/2017
CVE-2017-13080  Critical         WLAN HOST                          8/25/2017
CVE-2017-13082  Critical         WLAN HOST                          8/25/2017
CVE-2017-13086  Critical         WLAN HOST                          8/25/2017
CVE-2017-13087  Critical         WLAN HOST                          8/25/2017
CVE-2017-13088  Critical         WLAN HOST                          8/25/2017
CVE-2017-15818  High             Trusted Execution Environment      7/17/2017
CVE-2017-15825  Medium           Boot                               8/13/2017
CVE-2017-15828  Medium           Trusted Execution Environment      8/6/2017
CVE-2017-15844  Medium           Boot                               10/13/2017
CVE-2018-11265  Medium           Qualcomm IPC                       3/6/2018
CVE-2018-11270  Medium           Connectivity                       3/1/2018
CVE-2018-11273  Medium           Audio                              2/7/2018
CVE-2018-11274  High             Audio                              Internal
CVE-2018-11275  High             Boot                               3/26/2018
CVE-2018-11276  Medium           Kernel                             2/7/2018
CVE-2018-11278  High             Video                              Internal
CVE-2018-11280  High             Data Network Stack & Connectivity  Internal
CVE-2018-11281  High             Data Network Stack & Connectivity  Internal
CVE-2018-11286  Medium           Video                              4/12/2017
CVE-2018-11293  Medium           WLAN HOST                          12/12/2017
CVE-2018-11294  Medium           WLAN HOST                          Internal
CVE-2018-11295  High             WLAN HOST                          2/2/2018
CVE-2018-11296  High             WLAN HOST                          Internal
CVE-2018-11297  High             WLAN HOST                          12/12/2017
CVE-2018-11298  Medium           WLAN HOST                          1/16/2018
CVE-2018-11299  High             WLAN HOST                          Internal
CVE-2018-11300  Medium           WLAN HOST                          12/28/2017
CVE-2018-11301  Medium           WLAN HOST                          1/11/2018
CVE-2018-11302  Medium           WLAN HOST                          2/27/2018
CVE-2018-11818  Medium           Display                            12/13/2017
CVE-2018-11826  High             WLAN HOST                          Internal
CVE-2018-11827  High             WLAN HOST                          Internal
CVE-2018-11832  Medium           PMIC                               2/28/2018
CVE-2018-11836  High             WLAN HOST                          Internal
CVE-2018-11840  High             WLAN HOST                          Internal
CVE-2018-11842  High             WLAN HOST                          Internal
CVE-2018-11843  High             WLAN HOST                          Internal
CVE-2018-11851  High             WLAN HOST                          Internal
CVE-2018-11852  High             WLAN HOST                          Internal
CVE-2018-11860  High             WLAN HOST                          Internal
CVE-2018-11863  High             WLAN HOST                          Internal
CVE-2018-11868  High             WLAN HOST                          Internal
CVE-2018-11869  High             WLAN HOST                          Internal
CVE-2018-11878  High             WLAN HOST                          Internal
CVE-2018-11883  High             WLAN HOST                          Internal
CVE-2018-11886  High             WLAN HOST                          3/1/2018
CVE-2018-11889  High             WLAN HOST                          Internal
CVE-2018-11891  High             WLAN HOST                          Internal
CVE-2018-11893  Medium           WLAN HOST                          4/20/2018
CVE-2018-11894  High             WLAN HOST                          Internal
CVE-2018-11895  High             WLAN HOST                          Internal
CVE-2018-11897  High             WLAN HOST                          Internal
CVE-2018-11898  High             WLAN HOST                          Internal
CVE-2018-11902  High             WLAN HOST                          4/3/2018
CVE-2018-11903  High             WLAN HOST                          Internal
CVE-2018-11904  High             WLAN HOST                          1/22/2018
CVE-2018-3570   Medium           Power                              11/10/2017
CVE-2018-3573   Medium           Boot                               10/2/2017
CVE-2018-3574   Medium           Kernel                             11/1/2017
CVE-2018-3586   Medium           DSP Service                        10/25/2017
CVE-2018-3597   High             DSP Service                        11/2/2017
CVE-2018-5889   High             Boot                               Internal
CVE-2018-5905   Medium           Core Services                      12/8/2017

CVE-2017-13077

CVE ID CVE-2017-13077
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake of the WPA2 protocol.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-13078

CVE ID CVE-2017-13078
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake of the WPA/WPA2 protocol.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-13080

CVE ID CVE-2017-13080
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake and the group key handshake of the WPA/WPA2 protocol.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-13082

CVE ID CVE-2017-13082
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the Fast BSS transmission handshake of the WPA/WPA2 protocol.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-13086

CVE ID CVE-2017-13086
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the TDLS handshake of the WPA/WPA2 protocol.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-13087

CVE ID CVE-2017-13087
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur while processing Wireless Network Management Sleep Mode Response frames.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2017-13088

CVE ID CVE-2017-13088
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur while processing Wireless Network Management Sleep Mode Response frames.
Technology Area WLAN HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Patch
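The seven WLAN entries above share one root cause: a key installed during a handshake is installed again when a handshake message is retransmitted, which resets the key's packet number (nonce) and replay counter, so keystream is reused. The following is an added example, not code from the bulletin or from any WLAN driver, that models the supplicant side of the 4-way handshake case (CVE-2017-13077) as a small state machine; the struct, the counter bookkeeping and all function names are assumptions made for illustration.

```c
/* Added example, not from the bulletin or any WLAN driver: a minimal model of
 * supplicant-side PTK installation. The only real-world rule it encodes is
 * that installing a key resets its packet number to zero. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MAX_SEEN 64

struct supplicant {
    bool     ptk_negotiated;       /* PTK derived after messages 1 and 2 */
    bool     ptk_installed;        /* PTK handed to the hardware */
    uint64_t tx_pn;                /* CCMP packet number used as the nonce */
    uint64_t pn_seen[MAX_SEEN];    /* nonces already used under this PTK */
    int      n_seen;
    int      reuse_count;          /* how often a nonce was used twice */
};

/* Hardware key install: the standard resets the packet number on install. */
static void install_ptk(struct supplicant *s)
{
    s->ptk_installed = true;
    s->tx_pn = 0;
}

/* Send one data frame: consume the next packet number and record whether
 * it has already been used with this key. */
uint64_t send_frame(struct supplicant *s)
{
    uint64_t pn = s->tx_pn++;
    for (int i = 0; i < s->n_seen; i++)
        if (s->pn_seen[i] == pn) { s->reuse_count++; break; }
    if (s->n_seen < MAX_SEEN)
        s->pn_seen[s->n_seen++] = pn;
    return pn;
}

/* Vulnerable handler: every message 3, including a retransmitted one,
 * installs the PTK again and therefore rewinds the packet number. */
void on_msg3_vuln(struct supplicant *s)
{
    if (!s->ptk_negotiated)
        return;
    install_ptk(s);
}

/* Fixed handler: install exactly once; a retransmission is answered with
 * message 4 but leaves the installed key and its counter untouched. */
void on_msg3_fixed(struct supplicant *s)
{
    if (!s->ptk_negotiated || s->ptk_installed)
        return;
    install_ptk(s);
}

/* Scenario: handshake completes, two frames are sent, an attacker replays
 * message 3, one more frame is sent. Returns the number of nonce reuses. */
int run_scenario(void (*on_msg3)(struct supplicant *))
{
    struct supplicant s;
    memset(&s, 0, sizeof s);
    s.ptk_negotiated = true;      /* messages 1 and 2 already exchanged */
    on_msg3(&s);                  /* genuine message 3 */
    send_frame(&s);               /* PN 0 */
    send_frame(&s);               /* PN 1 */
    on_msg3(&s);                  /* replayed message 3 */
    send_frame(&s);               /* PN 0 again under the vulnerable handler */
    return s.reuse_count;
}
```

Under the vulnerable handler the replayed message 3 sends the third frame with packet number 0 again, which is exactly the nonce reuse the CCMP/GCMP security argument forbids; under the fixed handler the counter continues at 2.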

CVE-2017-15818

CVE ID CVE-2017-15818
Title Integer Overflow to Buffer Overflow in Core
Description While loading a user application in qseecom, an integer overflow could potentially occur if the application partition size is rounded up to page_size.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 7/17/2017
Customer Notified Date 11/6/2017
Patch
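The round-up-to-page arithmetic described for CVE-2017-15818 is a common pattern, so here is an added example (not code from the bulletin or from qseecom) showing why it wraps and how to check it. The 32-bit size type, the PAGE_SIZE value and the function names are assumptions made for illustration.

```c
/* Added example, not from the bulletin or qseecom: round-up-to-page arithmetic
 * with and without an overflow check. PAGE_SIZE and the 32-bit size type are
 * assumptions. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u   /* assumed page size */

/* Vulnerable form: the usual round-up. The sum is computed in 32 bits, so any
 * app_size greater than UINT32_MAX - (PAGE_SIZE - 1) wraps before the mask is
 * applied and a huge application "rounds" to 0 or a few bytes. A buffer sized
 * from that value is then far too small for the data copied into it. */
uint32_t round_up_vuln(uint32_t app_size)
{
    return (app_size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Hardened form: refuse the size if the addition would wrap. Returns 0 on
 * success and -1 on rejection; the rounded value is returned through *out. */
int round_up_checked(uint32_t app_size, uint32_t *out)
{
    if (app_size > UINT32_MAX - (PAGE_SIZE - 1))
        return -1;                     /* app_size + PAGE_SIZE - 1 would wrap */
    *out = (app_size + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return 0;
}

/* Convenience wrapper: the rounded size, or -1 if the input was rejected. */
int64_t round_up_or_reject(uint32_t app_size)
{
    uint32_t r;
    return round_up_checked(app_size, &r) == 0 ? (int64_t)r : -1;
}

int main(void)
{
    uint32_t sizes[] = { 1, 4096, 4097, 0xFFFFF000u, 0xFFFFF001u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("app_size=0x%08x  vuln=0x%08x  checked=%lld\n",
               (unsigned)sizes[i], (unsigned)round_up_vuln(sizes[i]),
               (long long)round_up_or_reject(sizes[i]));
    return 0;
}
```

The boundary is UINT32_MAX - (PAGE_SIZE - 1): 0xFFFFF000 still rounds correctly, while 0xFFFFF001 wraps to 0 in the unchecked form and is rejected by the checked one.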

CVE-2017-15825

CVE ID CVE-2017-15825
Title Out of bounds access when accessing partition entries in update gpt
Description While processing a gpt update, an out of bounds memory access may potentially occur.
Technology Area Boot
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 8/13/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-15828

CVE ID CVE-2017-15828
Title Integer Overflow to Buffer Overflow vulnerability in bootloader
Description While accessing the keystore in LK, an integer overflow vulnerability exists which may potentially lead to a buffer overflow.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 8/6/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-15844

CVE ID CVE-2017-15844
Title Potential information disclosure in write_device_info_flash()
Description In the function write_device_info_flash(), uninitialized memory can be written to flash.
Technology Area Boot
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 10/13/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-11265

CVE ID CVE-2018-11265
Title Buffer Copy Without Checking Size of Input in Core
Description Possible buffer overflow while incrementing the uint64_t log_buf pointer in a memcpy: after the increment, the log_buf pointer can reach memory beyond the size reserved for the data.
Technology Area Qualcomm IPC
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 3/6/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11270

CVE ID CVE-2018-11270
Title Double Free in Wired Connectivity
Description Memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code; freeing it explicitly on that error path frees it twice, which may result in data corruption.
Technology Area Connectivity
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 3/1/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11273

CVE ID CVE-2018-11273
Title Double Free in Audio
Description 'voice_svc_dev' is allocated as a device-managed resource. If the error path 'cdev_alloc_err' is taken, 'device_destroy' frees all associated resources, including 'voice_svc_dev', leading to a double free.
Technology Area Audio
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 2/7/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11274

CVE ID CVE-2018-11274
Title Buffer Copy Without Checking Size of Input in Audio
Description Buffer overflow may occur when payload size is extremely large such as 2^31 -1.
Technology Area Audio
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11275

CVE ID CVE-2018-11275
Title Information Exposure in Boot
Description When flashing an image using FastbootLib, if the image size is not divisible by the block size, an information leak occurs.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported 3/26/2018
Customer Notified Date 7/2/2018
Patch

CVE-2018-11276

CVE ID CVE-2018-11276
Title Double Free Issue in Kernel
Description Double free of memory allocated with devm_kzalloc() is possible in arm_memlat_mon_driver_probe() when it explicitly tries to free that memory using kfree() on driver probe failure, since memory allocated with devm_kzalloc() is automatically freed on probe failures.
Technology Area Kernel
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 2/7/2018
Customer Notified Date 6/4/2018
Patch
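CVE-2018-11270, CVE-2018-11273 and CVE-2018-11276 are the same mistake in three drivers: memory obtained from devm_kzalloc() is owned by the driver core, which releases it when probe() fails, so a driver that also kfree()s it on its error path frees it twice. The following is an added example, not bulletin or kernel code, that models devres in user space so the double free can be counted rather than corrupt a real heap; the device struct, the allocator model and the probe functions are assumptions written for illustration.

```c
/* Added example, not from the bulletin or the kernel: a user-space model of
 * device-managed allocations and a failing probe(), vulnerable and fixed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVRES 8

struct block { void *ptr; int freed; };

struct device {
    struct block devres[MAX_DEVRES];  /* allocations the driver core owns */
    int n_devres;
    int double_frees;                 /* frees that hit already-freed blocks */
};

/* devm_kzalloc(): allocate and register the block with the device. */
void *devm_kzalloc_model(struct device *dev, size_t size)
{
    if (dev->n_devres >= MAX_DEVRES)
        return NULL;
    void *p = calloc(1, size);
    if (!p)
        return NULL;
    dev->devres[dev->n_devres].ptr = p;
    dev->devres[dev->n_devres].freed = 0;
    dev->n_devres++;
    return p;
}

/* Release one block. A second release of the same block is recorded instead
 * of performed, so the model stays well-defined. */
static void release_block(struct device *dev, struct block *b)
{
    if (b->freed) {
        dev->double_frees++;
        return;
    }
    free(b->ptr);
    b->freed = 1;
}

/* kfree(): like the real one, it knows nothing about devres, so the block
 * stays registered with the device after being freed here. */
void kfree_model(struct device *dev, void *p)
{
    for (int i = 0; i < dev->n_devres; i++)
        if (dev->devres[i].ptr == p)
            release_block(dev, &dev->devres[i]);
}

/* Driver core: after probe() fails (or at device removal), release every
 * block that was registered through devm_kzalloc(). */
void devres_release_all(struct device *dev)
{
    for (int i = 0; i < dev->n_devres; i++)
        release_block(dev, &dev->devres[i]);
    dev->n_devres = 0;
}

/* Vulnerable probe: frees the managed block itself on the error path. */
int probe_vuln(struct device *dev, int fail)
{
    char *priv = devm_kzalloc_model(dev, 64);
    if (!priv)
        return -ENOMEM;
    if (fail) {
        kfree_model(dev, priv);   /* BUG: devres_release_all() frees it again */
        return -EIO;
    }
    return 0;
}

/* Fixed probe: return the error and let the core release priv. */
int probe_fixed(struct device *dev, int fail)
{
    char *priv = devm_kzalloc_model(dev, 64);
    if (!priv)
        return -ENOMEM;
    if (fail)
        return -EIO;
    return 0;
}

/* Bind a driver to a fresh device and let the core clean up afterwards.
 * Returns how many double frees occurred. */
int bind_and_release(int (*probe)(struct device *, int), int fail)
{
    struct device dev;
    memset(&dev, 0, sizeof dev);
    probe(&dev, fail);
    devres_release_all(&dev);
    return dev.double_frees;
}

int main(void)
{
    printf("vulnerable probe, failing: %d double free(s)\n", bind_and_release(probe_vuln, 1));
    printf("fixed probe, failing:      %d double free(s)\n", bind_and_release(probe_fixed, 1));
    return 0;
}
```

The rule the fix follows is simple: memory from a devm_* allocator is never passed to kfree(); if a driver really needs early release it uses devm_kfree(), which unregisters the block as well.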

CVE-2018-11278

CVE ID CVE-2018-11278
Title Buffer Over-read in Video
Description Venus HW searches for start code when decoding input bit stream buffers. If start code is not found in entire buffer, there is over-fetch of 512 bytes beyond allocation length. This leads to page fault.
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11280

CVE ID CVE-2018-11280
Title Improper Input Validation in MODEM
Description While processing user-space IPA IOCTL IPA_IOC_ALLOC_NAT_TABLE there is no size validation of the NAT entry input. If the user input size of the NAT entry is greater than the max allowed size of 64K, memory exhaustion will occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11281

CVE ID CVE-2018-11281
Title Use After Free in Data
Description When the IPA_IOC_MDFY_RT_RULE IPA IOCTL is called, the header entry is not checked before use. If the IOCTL is called for header entries that were previously deleted, a use-after-free condition occurs.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11286

CVE ID CVE-2018-11286
Title Use After Free in Video
Description While accessing the global variable "debug_client" from multiple threads, a use-after-free issue occurs.
Technology Area Video
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 4/12/2017
Customer Notified Date 7/2/2018
Patch

CVE-2018-11293

CVE ID CVE-2018-11293
Title Buffer Over-read in WLAN
Description In wma_ndp_confirm_event_handler and wma_ndp_indication_event_handler, ndp_cfg len and num_ndp_app_info come from firmware. If they are not checked, a buffer over-read may occur when either value is too large.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector AdjacentNetwork
Security Rating Medium
Date Reported 12/12/2017
Customer Notified Date 6/4/2018
Patch

CVE-2018-11294

CVE ID CVE-2018-11294
Title Always-Incorrect Control Flow Implementation in WLAN
Description The wma_unified_link_iface_stats_event_handler indication from the firmware carries information for 4 access categories (num_ac = WIFI_AC_MAX). While processing it, only the first 3 categories are copied because of the incorrect conditional used to compare against WIFI_AC_MAX.
Technology Area WLAN HOST
Vulnerability Type CWE-670 Always-Incorrect Control Flow Implementation
Access Vector AdjacentNetwork
Security Rating Medium
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11295

CVE ID CVE-2018-11295
Title Integer Overflow to Buffer Overflow in WLAN
Description wma_passpoint_match_event_handler carries fixed event data from the firmware to the host. If the length and the ANQP length from this event data exceed the maximum length of the fixed data, WMI_SVC_MSG_MAX_SIZE, an OOB write would happen.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 2/2/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11296

CVE ID CVE-2018-11296
Title Buffer Copy without Checking Size of Input in WLAN
Description While processing a message from firmware in htt_t2h_msg_handler_fast(), a buffer overwrite can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11297

CVE ID CVE-2018-11297
Title Buffer Over-read in WLAN
Description A buffer over-read can occur in the WMA NDP event handler functions due to lack of validation of the input value event_info, which is received from firmware.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported 12/12/2017
Customer Notified Date 6/4/2018
Patch

CVE-2018-11298

CVE ID CVE-2018-11298
Title Possible Buffer Overflow in WLAN
Description While processing SET_PASSPOINT_LIST vendor command HDD does not make sure that the realm string that gets passed by upper-layer is NULL terminated. This may lead to buffer overflow as strlen is used to get realm string length to construct the PASSPOINT WMA command.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 1/16/2018
Customer Notified Date 6/4/2018
Patch
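The realm handling described for CVE-2018-11298 is a general lesson about fixed-size string fields that arrive from user space: strlen() cannot know where the field ends. Here is an added example, not code from the bulletin or the WLAN driver, that contrasts the unbounded scan with a bounded one; the field size, the blob layout and the function names are assumptions made for illustration.

```c
/* Added example, not from the bulletin or the driver: length computation on
 * a realm field that user space was supposed to NUL-terminate but did not. */
#include <stdint.h>
#include <string.h>

#define REALM_MAX   16   /* assumed size of the realm field handed to the driver */
#define USER_BLOB   32   /* realm field plus whatever sits after it in memory */

/* Vulnerable: strlen() does not know where the field ends. With no NUL inside
 * the field it returns the distance to the next zero byte in memory, and that
 * length then sizes the copy into the WMA command. */
size_t realm_len_vuln(const char *realm_field)
{
    return strlen(realm_field);
}

/* Bounded scan (what strnlen() does where it is available). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Fixed: scan only the field; a field with no terminator is invalid input.
 * Returns the length, or -1 on rejection. */
int realm_len_fixed(const char *realm_field)
{
    size_t n = bounded_len(realm_field, REALM_MAX);
    return n == REALM_MAX ? -1 : (int)n;
}

/* Copy step on the fixed path: validate, then a bounded copy into the
 * command's own field. Returns 0 on success, -1 if the input was rejected. */
int build_passpoint_cmd(const char *realm_field, char cmd_realm[REALM_MAX])
{
    int n = realm_len_fixed(realm_field);
    if (n < 0)
        return -1;
    memset(cmd_realm, 0, REALM_MAX);
    memcpy(cmd_realm, realm_field, (size_t)n);
    return 0;
}

/* Constructed hostile input: 'A' fills the realm field and the bytes after
 * it; the first zero byte is the last byte of the blob. */
static void make_unterminated(char blob[USER_BLOB])
{
    memset(blob, 'A', USER_BLOB);
    blob[USER_BLOB - 1] = '\0';
}

/* Length the vulnerable path computes for the hostile input. */
size_t demo_vuln_len(void)
{
    char blob[USER_BLOB];
    make_unterminated(blob);
    return realm_len_vuln(blob);      /* 31: 15 bytes past the field */
}

/* What the fixed path returns for the same input. */
int demo_fixed_len(void)
{
    char blob[USER_BLOB];
    make_unterminated(blob);
    return realm_len_fixed(blob);     /* -1: rejected */
}

/* And for a well-formed, terminated realm. */
int demo_fixed_ok(void)
{
    char blob[USER_BLOB] = "example.org";
    char cmd[REALM_MAX];
    return build_passpoint_cmd(blob, cmd) == 0 ? realm_len_fixed(blob) : -1;  /* 11 */
}
```

Rejecting an unterminated field, rather than silently truncating it, is the safer choice here: truncation would still build a command from data the caller never validated.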

CVE-2018-11299

CVE ID CVE-2018-11299
Title Improper Validation of Array Index in WLAN
Description When the WLAN firmware has not filled the vdev id correctly in stats events, the WLAN host driver accesses the interface array without a proper bounds check, which can lead to an invalid memory access and, as a side effect, a kernel panic or page fault.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11300

CVE ID CVE-2018-11300
Title Possible Use After Free in WLAN
Description The callback executed from another thread may have freed cfgState->remain_on_chan_ctx, which is also used in wlan_hdd_execute_remain_on_channel; this can result in a use-after-free.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 12/28/2017
Customer Notified Date 6/4/2018
Patch

CVE-2018-11301

CVE ID CVE-2018-11301
Title Integer Underflow in WLAN
Description While processing debug log event (WMI_DEBUG_MESG_EVENTID) from firmware:
(a) If the value of length field extracted from the event buffer is less than the size of Integer, Integer underflow can occur.
(b) If the size of number of debug log arguments calculated is greater than the event buffer size, a buffer over-read can occur.
Technology Area WLAN HOST
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Local
Security Rating Medium
Date Reported 1/11/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11302

CVE ID CVE-2018-11302
Title Buffer Copy Without Checking Size of Input in WLAN
Description When the SETCCKMIE command comes from user space, the length of the command is compared against DOT11F_IE_RSN_MAX_LEN, and the command is then passed to CSR, where the memcpy is done against CSR_DOT11F_IE_RSN_MAX_LEN, which is smaller than DOT11F_IE_RSN_MAX_LEN, resulting in an array overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/27/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11818

CVE ID CVE-2018-11818
Title Use After Free in Display
Description LUT configuration is passed down to driver from userspace via ioctl. Simultaneous update from userspace while kernel drivers are updating LUT registers can lead to race condition.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 12/13/2017
Customer Notified Date 7/2/2018
Patch

CVE-2018-11826

CVE ID CVE-2018-11826
Title Potential buffer overflow in wma_extscan_change_results_event_handler
Description In wma_extscan_change_results_event_handler, rssi_num is calculated by accumulating src_chglist->num_rssi_samples over the number of APs (numap) in the event. If the accumulated value exceeds UINT_MAX, or num_rssi_samples is negative, rssi_num overflows, which could cause an OOB write on the destination buffer.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11827

CVE ID CVE-2018-11827
Title Improper Validation of Array Index in WLAN
Description wma_roam_synch_event_handler carries vdev_id as part of the synch event fixed_param to match the roam indication event to the upper layer. If the value of vdev_id exceeds the wma->max_bssid value of 5, an OOB write would happen.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11832

CVE ID CVE-2018-11832
Title Buffer Copy Without Checking Size of Input in PMIC
Description Lack of input size validation before copying to buffer in reg_debug_volt_get() function can lead to heap overflow
Technology Area PMIC
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/28/2018
Customer Notified Date 7/2/2018
Patch

CVE-2018-11836

CVE ID CVE-2018-11836
Title Uncontrolled Resource Consumption in WLAN
Description An improper length check can lead to an out-of-bounds access in ipa3_release_wdi_mapping.
Technology Area WLAN HOST
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11840

CVE ID CVE-2018-11840
Title Double Free in WLAN
Description While processing the GETIBSSPEERINFOALL wlan driver command ioctl a temporary buffer used to construct the reply message may be freed twice.
Technology Area WLAN HOST
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11842

CVE ID CVE-2018-11842
Title Use of Uninitialized Variable in WLAN
Description During WLAN association, the driver allocates memory in the API lim_send_assoc_req_mgmt_frame. If the allocation fails, the driver frees memory that was never allocated.
Technology Area WLAN HOST
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector AdjacentNetwork
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11843

CVE ID CVE-2018-11843
Title Possible Use-After-Free in wma_vdev_start_resp_handler
Description wma_vdev_start_resp_handler invokes wma_send_msg which frees req_msg->user_data while handling hidden_ssid_vdev_restart event.
If this req_msg->user_data is used again for other req->msg_type message types, then a possible use-after-free can occur in wma_vdev_start_resp_handler.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11851

CVE ID CVE-2018-11851
Title Buffer Copy Without Checking Size of Input in WLAN
Description The driver fills the mcs_set array in hdd_update_tgt_ht_cap() for all RF chains and has no upper bound check on cfg->num_rf_chains, which could lead to an out-of-bounds write on the kernel stack.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11852

CVE ID CVE-2018-11852
Title Buffer Copy Without Checking Size of Input in WLAN
Description An improper check in the API wma_process_pdev_hw_mode_trans_ind on the inputs received from the firmware, which are then copied into the host structure hw_mode_trans_ind, will lead to an OOB write.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11860

CVE ID CVE-2018-11860
Title Buffer Copy Without Checking Size of Input in WLAN
Description A potential buffer overflow could occur while processing the NDP event due to a missing check on the message length.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11863

CVE ID CVE-2018-11863
Title Potential buffer overflow in wma_fill_roam_synch_buffer
Description In wma_fill_roam_synch_buffer, fils_info is received from the FW as part of roam synch event and contains kek_len and pmk_len. These lengths are used to copy the kek and pmk from the FW buffer to the roam_synch_ind_ptr (of kek length SIR_KEK_KEY_LEN_FILS and pmk length SIR_PMK_LEN) respectively.

If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds the SIR_PMK_LEN value, a buffer overwrite would occur during memcpy.

Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11868

CVE ID CVE-2018-11868
Title Possible buffer overflow in wma_nan_rsp_event_handler
Description Due to an issue in firmware, the NAN rsp event sent by firmware may have an invalid data length. With such a length, a buffer overflow occurs upon data copy when the data length is smaller than (WMI_SVC_MSG_MAX_SIZE - wmi_nan_event_hdr size) but greater than (WMI_SVC_MSG_MAX_SIZE - wmi_nan_event_hdr - WMI_TLV_HDR_SIZE).
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11869

CVE ID CVE-2018-11869
Title Possible buffer overflow in wma_stats_ext_event_handler
Description Due to an issue in firmware, the extended stats event sent by firmware may have an invalid data length. With such a length, a buffer overflow occurs upon data copy when the data length is smaller than (WMI_SVC_MSG_MAX_SIZE - wmi_stats_ext_event_fixed_param size) but greater than (WMI_SVC_MSG_MAX_SIZE - wmi_stats_ext_event_fixed_param - WMI_TLV_HDR_SIZE).
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11878

CVE ID CVE-2018-11878
Title Return of Stack Variable Address in WLAN
Description Possibility of an invalid memory access while processing the driver commands GETFWSTATS and GETBCNMISSRATE in a WLAN function.
Technology Area WLAN HOST
Vulnerability Type CWE-562 Return of Stack Variable Address
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11883

CVE ID CVE-2018-11883
Title Improper Input Validation in WLAN
Description In the policy manager unit test, if the mode parameter of iwpriv wlan0 pm_pcl is given an out-of-bounds value, an out-of-bounds access can occur while accessing the PCL table.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11886

CVE ID CVE-2018-11886
Title Integer Overflow to Buffer Overflow in WLAN
Description In function wma_form_rx_packet, mpdu_data_len is calculated as (buf_len - mpdu_hdr_len). If the value of buf_len is less than mpdu_hdr_len, an integer underflow occurs while calculating mpdu_data_len, leading to a very large value of mpdu_data_len.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 3/1/2018
Customer Notified Date 7/2/2018
Patch
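Two of the firmware-length checks in this bulletin are worth seeing side by side: the window described for CVE-2018-11868 and CVE-2018-11869, where the bound budgets for the fixed header but not for the TLV header that also occupies the buffer, and the unsigned subtraction described for CVE-2018-11886, which wraps when the firmware reports a buffer shorter than the MPDU header. The following is an added example, not code from the bulletin or the WLAN host driver; the constant values, the header sizes and the function names are assumptions made for illustration.

```c
/* Added example, not from the bulletin or the driver: host-side validation of
 * lengths supplied by WLAN firmware, vulnerable and fixed. All constants are
 * assumed values chosen for the demonstration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define WMI_SVC_MSG_MAX_SIZE 1536u   /* assumed size of the host event buffer */
#define WMI_TLV_HDR_SIZE     4u
#define NAN_EVENT_HDR_SIZE   8u      /* stand-in for sizeof(wmi_nan_event_hdr) */

/* CVE-2018-11868/11869 pattern: payload follows a fixed header AND a TLV header
 * in the same buffer. The vulnerable bound budgets for the fixed header only,
 * so lengths in (MAX - hdr - TLV, MAX - hdr] pass and the copy runs up to
 * WMI_TLV_HDR_SIZE bytes past the end of the destination. */
bool nan_len_ok_vuln(uint32_t data_len)
{
    return data_len <= WMI_SVC_MSG_MAX_SIZE - NAN_EVENT_HDR_SIZE;
}

bool nan_len_ok_fixed(uint32_t data_len)
{
    return data_len <= WMI_SVC_MSG_MAX_SIZE - NAN_EVENT_HDR_SIZE - WMI_TLV_HDR_SIZE;
}

/* Bytes that would be written past the destination if a given check accepts
 * data_len: 0 when rejected, 0 when it fits, the overrun otherwise. */
uint32_t nan_overrun_bytes(uint32_t data_len, bool (*check)(uint32_t))
{
    if (!check(data_len))
        return 0;
    uint32_t need = NAN_EVENT_HDR_SIZE + WMI_TLV_HDR_SIZE + data_len;
    return need > WMI_SVC_MSG_MAX_SIZE ? need - WMI_SVC_MSG_MAX_SIZE : 0;
}

/* CVE-2018-11886 pattern: mpdu_data_len = buf_len - mpdu_hdr_len in unsigned
 * arithmetic. A firmware-reported buf_len < mpdu_hdr_len wraps to ~4 GB. */
uint32_t mpdu_data_len_vuln(uint32_t buf_len, uint32_t mpdu_hdr_len)
{
    return buf_len - mpdu_hdr_len;
}

/* Fixed: reject an inconsistent pair before subtracting. Returns the data
 * length, or -1 when buf_len is implausible or shorter than the header. */
int64_t mpdu_data_len_fixed(uint32_t buf_len, uint32_t mpdu_hdr_len)
{
    if (buf_len > WMI_SVC_MSG_MAX_SIZE || mpdu_hdr_len > buf_len)
        return -1;
    return (int64_t)(buf_len - mpdu_hdr_len);
}

int main(void)
{
    uint32_t edge = WMI_SVC_MSG_MAX_SIZE - NAN_EVENT_HDR_SIZE;   /* 1528 */
    printf("nan data_len=%u: vuln overrun=%u fixed overrun=%u\n", (unsigned)edge,
           (unsigned)nan_overrun_bytes(edge, nan_len_ok_vuln),
           (unsigned)nan_overrun_bytes(edge, nan_len_ok_fixed));
    printf("mpdu buf_len=10 hdr=24: vuln=0x%08x fixed=%lld\n",
           (unsigned)mpdu_data_len_vuln(10, 24),
           (long long)mpdu_data_len_fixed(10, 24));
    return 0;
}
```

The common thread is that every header that shares the buffer must be subtracted from the budget, and every subtraction on a firmware-supplied value must be preceded by the comparison that makes it non-negative.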

CVE-2018-11889

CVE ID CVE-2018-11889
Title Return of Stack Variable Address in WLAN
Description When the RSSI request times out, an invalid memory access may occur, since the local variable 'context' on the stack of wlan_hdd_get_peer_info() has already gone out of scope.
Technology Area WLAN HOST
Vulnerability Type CWE-562 Return of Stack Variable Address
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11891

CVE ID CVE-2018-11891
Title Potential OOB read in update_fils_data
Description In function update_fils_data, fils_indication->num_variable_data is the actual length of the data present in the array variable_data. While accessing the variable_data array to copy the cache identifier, HESSID and realm identifiers, the length of the array is not checked and an OOB read would occur.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector AdjacentNetwork
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11893

CVE ID CVE-2018-11893
Title Buffer Copy without Checking Size of Input in WLAN
Description While processing a vendor scan request, an input argument (the length of the request IEs) greater than 2048 can lead to a buffer overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 4/20/2018
Customer Notified Date 7/2/2018
Patch

CVE-2018-11894

CVE ID CVE-2018-11894
Title Integer Overflow to Buffer Overflow in WLAN
Description While processing preferred network offload scan results integer overflow may lead to buffer overflow when large frame length is received from FW
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11895

CVE ID CVE-2018-11895
Title Potential Buffer Overflow in WLAN
Description An improper length check in a WLAN function can lead the driver to write the default RSN capabilities (2 bytes) to memory not allocated to the frame.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11897

CVE ID CVE-2018-11897
Title Buffer Copy Without Checking Size of Input in WLAN
Description While processing a diag event after associating to a network, an out-of-bounds read occurs if the SSID of the joined network is longer than the maximum limit.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11898

CVE ID CVE-2018-11898
Title Buffer Copy Without Checking Size of Input in WLAN
Description While processing start bss request from upper layer, out of bounds read occurs if ssid length is greater than 32.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11902

CVE ID CVE-2018-11902
Title Improper Validation of Array Index in WLAN
Description In function ol_rx_in_order_indication_handler, msdu_count is processed from msg_word, which is sent by firmware. msdu_count is later used unchecked in function htt_rx_ring_fill_n, which can cause OOB access if the value of msdu_count is not valid.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 4/3/2018
Customer Notified Date 7/2/2018
Patch

CVE-2018-11903

CVE ID CVE-2018-11903
Title Improper Validation of Array Index in WLAN
Description In the function wma_update_intf_hw_mode_params, vdev_id received from the caller function wma_pdev_set_hw_mode_resp_evt_handler, is used as the array index for wma->interfaces. If vdev_id exceeds wma->max_bssid(5) then a possible OOB write could occur.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Patch

CVE-2018-11904

CVE ID CVE-2018-11904
Title Return of Stack Variable Address in WLAN
Description Asynchronous callbacks received a pointer to a caller’s local variable. Should the caller return early (e.g., timeout), the callback will dereference an invalid pointer.
Technology Area WLAN HOST
Vulnerability Type CWE-562 Return of Stack Variable Address
Access Vector Local
Security Rating High
Date Reported 1/22/2018
Customer Notified Date 7/2/2018
Patch

CVE-2018-3570

CVE ID CVE-2018-3570
Title Untrusted Pointer Dereference in Power
Description Improper usage of the list_for_each macro in the cpuidle driver can lead to an untrusted pointer dereference.
Technology Area Power
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating Medium
Date Reported 11/10/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3573

CVE ID CVE-2018-3573
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in Boot
Description While relocating kernel images with a specially crafted boot image, an out of bounds access can occur.
Technology Area Boot
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating Medium
Date Reported 10/2/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3574

CVE ID CVE-2018-3574
Title Improper Input Validation in Kernel
Description Userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory which does not belong to HLOS.
Technology Area Kernel
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 11/1/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3586

CVE ID CVE-2018-3586
Title Integer Overflow to Buffer Overflow in Multimedia
Description An integer overflow to buffer overflow vulnerability exists in the ADSPRPC heap manager.
Technology Area DSP Service
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 10/25/2017
Customer Notified Date 2/5/2018
Patch

CVE-2018-3597

CVE ID CVE-2018-3597
Title Improper Input Validation in Multimedia
Description In the ADSP RPC driver, an arbitrary kernel write can occur.
Technology Area DSP Service
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Network
Security Rating High
Date Reported 11/2/2017
Customer Notified Date 3/5/2018
Patch

CVE-2018-5889

CVE ID CVE-2018-5889
Title Improper Restriction of Operations within the Bounds of a Memory Buffer in Boot
Description While processing a compressed kernel image, a buffer overflow can occur.
Technology Area Boot
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5905

CVE ID CVE-2018-5905
Title Buffer Copy Without Checking Size of Input in DIAG
Description A race condition while accessing driver->num_clients can lead to an out-of-bounds access of the driver->client_map and driver->data_read data structures.
Technology Area Core Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/8/2017
Customer Notified Date 5/7/2018
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not being enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 September 4, 2018 Bulletin Published